[arch-general] Iptables

NTS nts at gyatso.de
Tue Feb 11 15:15:46 UTC 2020


Hello Silvio,

First of all, great idea and nice script!

Two small things:

 - The ssh port is fixed as TCP port 12500.  Since 12500 >1024 this is
a non-privileged port which is a security risk.  Ports < 1024 can
only be opened (here: state LISTEN) by root, others by everyone.  If a
user manages to crash your sshd then they can start their own service
at that port.  Even though ssh has protection against MitM by means of
key fingerprints the attacker can at least keep you from starting sshd
by blocking that port (not ideal on a remote server).

 - You test a Debian release version to see whether to use
/usr/sbin/iptables-nft or /usr/sbin/iptables.  More portable and
simpler would be to test for -x /usr/sbin/iptables-nft.

Best wishes,

NTS

On Tue, 11 Feb 2020 at 14:26, Genes Lists via arch-general
<arch-general at archlinux.org> wrote:
>
>
> Hi Silvio
>
> One general comment - your script uses the iptables command for each
> rule - this is extremely inefficient. This is probably not a big deal in
> your case but I'll mention it anyway.
>
> A far better way is to output the firewall in the same format as
> iptables-save uses, then simply use iptables-restore to load the
> firewall rules - this reads the entire set of rules and asks the kernel
> to install them all in one shot. This is essentially just dropping the
> '$IPT' part for each rule plus a slightly different way to define chains
> and set the default policies.
>
> One way to see the format is simply to use iptables-save on an existing
> firewall. This is the format used by iptables to save / restore rules.
>
> best
>
> gene
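The two suggestions in this thread combined into one sketch, as an added example that is not Silvio's script: the ruleset is emitted in iptables-save format and loaded with a single iptables-restore call (gene's point), the nft backend is chosen with a `-x` test instead of a Debian version check (NTS's point), and the ssh port defaults to a privileged one. The rule set, the `SSH_PORT` variable and the `/usr/sbin/iptables-nft-restore` path next to `iptables-nft` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original script. Assumes: SSH_PORT (default 22, a
# privileged port), a minimal INPUT policy, and that iptables-nft-restore
# is installed beside iptables-nft.
SSH_PORT="${SSH_PORT:-22}"

# Accept only a numeric TCP port in 1..65535; returns 1 otherwise.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Prefer the nft backend when its binary is executable (NTS's -x test),
# otherwise fall back to the classic iptables-restore.
pick_restore() {
    if [ -x /usr/sbin/iptables-nft ]; then
        echo /usr/sbin/iptables-nft-restore
    else
        echo /usr/sbin/iptables-restore
    fi
}

# Print the whole ruleset in iptables-save format: table header, chains
# with default policies (":CHAIN POLICY [pkts:bytes]"), rules, COMMIT.
gen_ruleset() {
    valid_port "$SSH_PORT" || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Load everything in one shot; needs root. Run as: sh firewall.sh apply
apply_ruleset() {
    gen_ruleset | "$(pick_restore)"
}

case "${1:-}" in apply) apply_ruleset ;; esac
```

Running `sh firewall.sh apply` replaces the filter table atomically; without the argument the script only defines the functions, so `gen_ruleset` can be inspected or diffed against `iptables-save` output first.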
